PREFACE


The Privacy Act of 1974 (PL 93-579) and OMB guidelines for
its implementation impose requirements on Federal agency personal
record-keeping practices. This report presents an implementation
strategy for the administration of certain Privacy Act
requirements with the use of today's data base management
systems. These Privacy Act requirements are analyzed in the
light of data base software functional characteristics, and
implementation approaches utilizing commonly available data base
management systems are described. As these approaches cannot
anticipate every possible situation, they should not be construed
as an official compliance standard or legal interpretation
regarding the Act's provisions. Rather, they provide tools for
efficient and effective computer utilization in Privacy Act
compliance by extending routine processing functions to include
necessary administrative functions at minimal additional cost.

A DATA BASE MANAGEMENT APPROACH
TO PRIVACY ACT COMPLIANCE

Elizabeth  Fong 

The Privacy Act (PL 93-579) provisions on
personal record handling present new issues
concerning effective use of commercial data base
management systems (DBMS) by Federal agencies.
The widespread use of such systems in record-keeping
activities will definitely have an impact
on methods of administering compliance with the
Privacy Act. This report proposes a technical
approach to compliance with certain Privacy Act
requirements through the use of generalized data
base management systems. Requirements are
translated into a set of computer data files and
procedures. These procedures, incorporated at
pivotal points of data base software, can implement
those Privacy Act compliance procedures amenable
to automation. The use of DBMS appears to be
a viable and technologically feasible solution to
the effective and efficient implementation of many
Privacy Act provisions.


Key words: Computer utilization; data base
functions; data base management systems; Privacy
Act of 1974; privacy compliance techniques.


1. INTRODUCTION

Data Base Management Systems (DBMS) provide the
technology which makes it possible to administer vast
record-keeping on an efficient basis. Large computer files of
several million records now are used in all but the smallest
enterprises to provide current status information and timely
management for personnel, inventories, property, financial
accounts, and other functions. Thus, data base management
systems are a key area for implementation of procedures and
safeguards to protect privacy and facilitate compliance with
legislation.

The Privacy Act of 1974 (PL 93-579) [1] sets forth
requirements governing Federal agency personnel record-keeping
practices. The key to the Privacy Act administration is the
establishment of policies which control the use of personal
data. The requirements imply that certain data usage and
dissemination be monitored and controlled. The Privacy Act
provisions on personal record handling give rise to issues
concerning effective use of commercial data base management
systems by Federal agencies. The increasing use of DBMS by
agencies in their data processing to support their missions
raises the question of how DBMS capabilities can be
advantageously used to aid the administration of Privacy Act
requirements.

1.1  Motivation 

NBS  experience  shows  that  agencies'  current  compliance 
procedures  are  typically  manual.  The  questions  that  arise 
from  this  observation  are  (1)  whether  compliance  procedures 
are  amenable  to  automation;  and  (2)  if  so,  whether  these 
procedures  should  be  incorporated  in  a  generalized  data  base 
management  system. 

The two questions imply management decisions that are to
some extent unique to each agency. Nevertheless, some
guidance can be given on what the possibilities are for using a
DBMS to implement provisions of the Privacy Act. This
report is addressed to agencies (1) that are presently using
computers for record storage, and (2) that either possess a
DBMS, or consider the future acquisition of a DBMS to be a
distinct possibility. If the agency is in this situation,
this report should aid in its efforts to comply with the
Privacy Act and to determine what DBMS capabilities can be
advantageously used.

The report is aimed, in particular, at data base
administrators or data base managers. Those agencies with an
existing DBMS can expect to learn what their system can do
in complying with the Act, and what ways of using the DBMS
to implement the Act's provisions are most likely to be
feasible. For those agencies without an existing DBMS, this
study can point out in what ways a DBMS could help them in
implementing requirements of the Privacy Act.

1.2  Scope 

The scope of this study is limited to those compliance
requirements with the Privacy Act which we judge to be good
candidates for automation by means of a data base
management system. For official guidance on specific instructions
on compliance, the reader is directed to several relevant
documents [2,3,4]. The OMB Circular No. A-108 [2] defines
responsibilities for implementing the Privacy Act. Bushkin
[5] provides a reference manual for compliance with the Act.
In the proceedings of a workshop "Data Base Directions - The
Next Step" [6], the section on "Impact of Government
Regulations" assesses the impact of regulations on data base
system functions. Compliance requirements mentioned in this
report are taken from all of the above mentioned documents.

Physical security and "appropriate safeguards" aspects
are treated in FIPS PUB 41 [4], and will not be covered in
this study. The security aspects involving accidental or
intentional disclosure to unauthorized persons are not
directly addressed.

For the purpose of this study, a DBMS is characterized
as a generalized software package, which provides a single
flexible facility for accommodating different data files and
operations while demanding less programming effort than
conventional programming languages, e.g., COBOL. DBMS software
possesses the following general properties:

- It facilitates operation on data such as data definition,
  data storage, data maintenance, data retrieval, and output.

- It facilitates reference to data by name and not by
  physical location.

- It operates in a software environment which is not
  tied to a particular set of application programs or
  files.

It is also assumed that the data base contains data
constituting all or part of a "system of records," as
defined in the Privacy Act.

1.3  Approach 

The overall approach in this report is to gather two
different sets of data for analysis. These data are:

- Privacy Act requirements translated into compliance
  procedures that could be automated.

- Functional characteristics within current DBMS software
  for implementing Privacy Act compliance actions.

The Privacy Act requirement analysis provides inputs
in the development of a set of data and procedures for
compliance with Privacy Act requirements. Those compliance
actions identified are slightly different from Goldstein's
[7,8], whose compliance actions are used for evaluating a
number of alternative compliance methods. For example,
revision of forms, training of personnel, etc. are considered
in Goldstein's work but are not amenable to implementation
in data base management systems.

The second set of data gathered for analysis are the
DBMS functional characteristics. A set of data base
functions are identified. These data base functions, if
incorporated in a DBMS, will in fact realize the Privacy Act
compliance procedures.

1.4 Guide to the Reader


The reader is assumed to be familiar with the Privacy
Act. Detailed analysis of relevant provisions of the Privacy
Act appears in Appendix I. For purpose of this report,
the Act's requirements are classified into five functional
areas:

- Collection of information
- Maintenance and use of information
  (by the maintaining agency)
- Data subject access to and amendment of information
- Non-routine-use and disclosures of information, and
- Public notice requirements

These five functional areas are translated into compliance
procedures. Supporting these compliance procedures are the
data files necessary to perform the compliance actions.
Section 3 of this report examines the data base management
system functional characteristics in terms of three phases:
input, processing, and output. Within each phase, a set of
DBMS functions are specified. These DBMS functions are
shown in Section 4 to be those which implement specific
compliance procedures. The correlation of requirements,
compliance procedures, and DBMS functions appears in tabular
form in Appendix II. The reference section contains brief
annotations.


2. COMPLIANCE: DATA AND PROCEDURES


To develop an implementation strategy for meeting the
Privacy Act requirements, it is assumed that an agency has
(1) a system of records containing personal information, and
(2) a data base management system as nucleus software to
process this system of records. The traditional data base
environment consists of a data base containing files with
records of information, plus a set of supporting application
programs.

To accommodate privacy demands, an additional set of
application programs and supporting data files are
necessary. The design of the data files, and the
specification of the application programs which are
referred to as compliance procedures, are identified and
presented below.

2.1 Data Files and Data Elements

The data needed in support of compliance procedures
assumes the existence of a data base containing personal
information. This data base is installed on a DBMS which is
commercially available. General criteria for data base
organization can be quite flexible depending on the data
relations of the systems of records being established.
Specific files and data elements are suggested here to be
incorporated as part of the Privacy implementation data
base.

It is also assumed that the data base has a distinct
logical segment containing the system of records of
individual personal information which will be referred to
as the main file. Additional data fields are required for
the implementation of Privacy Act compliance procedures.
These additional data elements, added to the logical
segment, for each data subject record in the main file are:

- Consent field - Yes or No and date of consent.
  - Reference indicating the kind of consent.

- Disclosure Account field -
  - Number of times disclosure to individual himself
  - Number of times disclosure to third-party
  - Number of times special disclosure
  - Number of times disclosure denied
  - Indicator leading to an entry in Disclosure
    Account (DA) file described later.

- Dispute field - Yes or No.
  - If yes, set indicator leading to
    Statement of Dispute (SOD) file
    described later.

Several additional files might be associated with a
system of records containing personal information. The
specification of these files and the data elements required
are identified below. Notice also that the abbreviated file
name which appears in parentheses will be referenced in the
compliance procedure tables in Appendix II.

STATEMENT OF DISPUTES FILES (SOD). This file contains
information of all the disputes. As described above, it is
assumed that, in the main file, the individual record
containing disputed data about an individual is flagged and
a pointer mechanism would lead to a record of this SOD
file. Each record would have the following data elements:

- Date of dispute
- Nature of Dispute - Textual description of dispute
- Agency Reason for Refusal - Textual description of
  refusal
- Status - judicial review or other legal remedies
- Disputed data element name - The data element in
  dispute
- Disputed data value - The data value in dispute

DISCLOSURE ACCOUNTING FILE (DA). This file contains records
of all the disclosures. It is assumed that the individual
master records contain three types of disclosure flags:
disclosure initiated at the data subject's request,
third-party disclosure, and special disclosure. In fact, these
flags can be the "count" of each type of disclosure for this
particular record. Indices or pointers would lead to the
existence of this DA record. Each record in the DA file
would have the following data elements:

- Date of disclosure
- Purpose of disclosure - Textual description
- Data elements - List of data element names disclosed
- Data values - List of corresponding values disclosed
- Name - Person or agency to whom disclosure is made
- Address - Person or agency to whom disclosure is made

PUBLIC NOTICE FILE (PN). The law requires that an annual
report for each system of records must be submitted by April
30th of each year. The computer maintenance of this file is
optional. The PN file may be defined when establishing a
new system of records. The contents of the file are used
for the announcement notice in the Federal Register and can
be maintained also and used for eventual annual review and
reporting purposes. The file may contain the following
data elements:

- System Name
- System Location
- Categories of Individuals
- Categories of records
- Authority for Maintenance
- Routine uses
- Policies and practices regarding storage
- Policies and practices regarding retrievability
- Policies and practices regarding safeguards
- Policies and practices regarding retention and disposal
- System manager and address
- Notification Procedure
- Record access procedure
- Name and address of administrator for disputing
- Record source categories (how source information is
  obtained)

NOTIFICATION NOTICE FILE (NN). This may be a small file
which can perhaps be a subpart of the PN file. Specific
information requirements will be established when the new
system of records is in effect. This file may be used to
notify individuals of the existence of personal information
collection and maintenance by an agency. This file needs to
be modified when a new use of an existing file occurs. Data
elements consist of:

- The authority
- The purpose
- The routine use
- The effect


STATISTICAL FILE (STAT). The OMB Guidelines [2] require
that the agency also keep statistical information. A
separate file may be established containing the following
data elements such as:

- Number of subjects from whom information is collected
- Number who refuse to provide information
- Number of individuals requesting access
- Number of individuals refused access
- Number of refusals appealed
- Number of cases ending in judicial review
- Number of times time limit was not met by the Agency


2.2 Compliance Procedures


Each Privacy Act requirement identified is translated
side-by-side with the compliance procedures using a tabular
format. See the first two columns of Appendix II. Within
the procedure specification, data file references are made
using the acronym designation indicated in the previous
sections.


Five broad areas of Privacy Act requirements are
identified to facilitate identification of compliance
procedures that are relevant in a DBMS environment. In
Appendix II, the compliance procedures for each of these
areas are grouped in five separate tables. Table 1 lists
the requirements for collection of information. Table 2
lists the requirements for maintenance and use of
information by the maintaining agency. Table 3 lists the
data subject access, amendment and dispute handling
requirements. Table 4 lists the disclosure requirements.
The various conditions of disclosures are presented with an
additional two columns indicating whether accounting and
consent are necessary. Table 5 lists the public notice
requirements.

In the next section, relevant DBMS functions will be
identified and then related to these compliance procedures.


3. DATA BASE FUNCTIONS

Current data base management functional capabilities
are examined to develop a set of technical approaches to
privacy compliance procedures. The specifications of the
DBMS functions are generic in nature and do not impose any
requirements on any particular type of DBMS. These generic
DBMS functions identified are specifically relevant for
implementing the Privacy Act provisions. These functions
are, for purposes of clarity, classified under three
functional phases: input, processing, and output. Each
function identified under the three phases is numbered and
prefaced with the letter "I," "P," and "O" representing
input, processing and output phases.

3.1  Input  Phase 

I1 - Data Collection

Raw  data  collected  from  individuals  are  usually 
defined  to  the  data  base  using  the  data  definition 
facility  of  the  system.  Adjunct  packages  such  as  a 
data  directory  or  a  dictionary,  if  available,  can  be 
used  as  a  tool  to  describe  each  data  element  to  the 
system.  The  definition  will  then  facilitate  the  raw 
data  value  collected  to  be  entered  into  the  system. 

I2 - Data Entry

The  data  to  be  entered  into  the  data  base  can 
either  be  bulk  loaded  or  added  into  the  data  base  using 
the  update  capability.  Usually  this  feature  is 
inherent  in  the  DBMS  software. 

I3 - Data Validation

The input data need to be validated to insure
accuracy and integrity. Techniques range from data
type checking to specific semantic consistency checks.
Usually some type of data validation feature is
inherent in DBMS available today.

I4 - Notification Notice

When establishing new information on a data
subject, a notification notice is required by the
Privacy Act. This could be an automatic print out of
the Notification Notice (NN) file as described in
the previous section.

I5 - Consent to Disclose

A form letter may be issued to the data subject
upon a request to disclose. If consent is given, the
"consent" field in the data subject record in the main
file is set to "YES." A reference to this "consent"
request is recorded. If consent is denied, the
"consent" field is set to "NO." At the same time the
Statistical File (STAT) field for the number of
individuals refused access is incremented by one.

3.2  Processing 

P1 - Periodic Validation

The periodic validation for accuracy, relevance,
timeliness and completeness is distinguished from data
validation upon data input. This requirement is
specifically spelled out in the Privacy Act. It is
considered good information management practice to
allocate certain time and resources for the validation
of data integrity. Special software can be written to
check the entire data base. The software can utilize
the validation routines for data input or can provide a
sophisticated checking mechanism specifically tailored
for the application.

P2 - Authenticating data accesses

During data retrieval or updating, the user needs to
be properly authorized to do the data accesses.
Password checking or more sophisticated mechanisms must
be provided in the DBMS. However, today's DBMS do
provide some method for authenticating the user, and
this facility can be considered as inherent in the data
base software.

P3 - Retrieval for disclosure

After the user has been authenticated, the nature
of disclosure is checked. In Appendix II of this
report, the "Conditions of Disclosure" have been
identified. Those that require consent of the data
subject must have the "consent" field checked. Those
that require accounting of disclosure must invoke the
disclosure accounting procedure (described later - see
P6). A retrieval command will produce hard copy output
to be given to the requestor. (The Act places
restrictions on the use of Social Security number;
methodology for retrieving individual records from
personal data files using non-unique identifiers is
described in [11].)

P4 - Data Update Due to Amendment

The field to be amended is retrieved and the
contents of the field are modified as indicated. The
disclosure accounting of that record is also retrieved.
Names and addresses of individuals are generated.
Letters informing them of the correction are then sent.

P5 - Data Purging due to specified record life

Based  upon  the  condition  of  a  specific  purging 
requirement,  a  set  of  records  that  satisfied  this 
condition  is  retrieved.  The  identity  of  records  and 
date  of  purge  are  entered  into  a  separate  file  for 
backup  or  audit  purposes.  These  records  are  later 
deleted  from  the  data  base. 

P6  -     Disclosure  Accounting 

Based  upon  the  nature  of  the  disclosure,  flags  in 
the  data  subject  record  are  set  in  the  master  file.  A 
record  in  the  Disclosure  Accounting  file  (DA)  is 
created  and  data  values  for  each  data  element  specified 
in  Section  2  of  this  report  are  entered. 

P7  -     Dispute  Accounting 

The "Dispute" field in the data subject record in
the master file is set. A pointer leading to the
record in the Statement of Dispute file (SOD) is
created and data values for each data element specified
in Section 2 of this report are entered.
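
The P3, P6 and P4 procedures above can be sketched against the Section 2.1 file layout. The following is an added example, not code from the report: it uses Python's sqlite3 as a stand-in DBMS, and the table and column names, the `disclose` and `amend` functions and the sample record are assumptions. Whether a disclosure needs consent or accounting is passed in by the caller, because those conditions are defined in Appendix II.

```python
import json
import sqlite3

# Main file carries the consent field and disclosure counters of Section 2.1;
# da_file is the Disclosure Accounting (DA) file. All names are illustrative.
SCHEMA = """
CREATE TABLE main_file (
    subject_id    INTEGER PRIMARY KEY,
    name          TEXT NOT NULL,
    salary        INTEGER,
    consent       TEXT NOT NULL DEFAULT 'NO' CHECK (consent IN ('YES', 'NO')),
    consent_date  TEXT,
    consent_ref   TEXT,
    n_self        INTEGER NOT NULL DEFAULT 0,
    n_third_party INTEGER NOT NULL DEFAULT 0,
    n_special     INTEGER NOT NULL DEFAULT 0,
    n_denied      INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE da_file (
    da_id             INTEGER PRIMARY KEY,
    subject_id        INTEGER NOT NULL REFERENCES main_file(subject_id),
    disclosed_on      TEXT NOT NULL,
    purpose           TEXT NOT NULL,
    elements          TEXT NOT NULL,   -- JSON list of element names
    data_values       TEXT NOT NULL,   -- JSON list of the values released
    recipient_name    TEXT NOT NULL,
    recipient_address TEXT NOT NULL
);
"""

# Column names are interpolated into SQL below, so they come from fixed allow-lists.
COUNTERS = {"self": "n_self", "third_party": "n_third_party", "special": "n_special"}
DISCLOSABLE = ("name", "salary")


def disclose(db, subject_id, elements, kind, recipient, address, purpose,
             on_date, needs_consent, needs_accounting):
    """P3 then P6. Returns the released values, or None when consent is missing."""
    if kind not in COUNTERS or not elements or any(e not in DISCLOSABLE for e in elements):
        raise ValueError("unknown disclosure kind or data element")
    with db:  # counter update and DA record commit together or not at all
        row = db.execute(
            f"SELECT consent, {', '.join(elements)} FROM main_file WHERE subject_id = ?",
            (subject_id,)).fetchone()
        if row is None:
            raise KeyError(subject_id)
        if needs_consent and row[0] != "YES":
            db.execute("UPDATE main_file SET n_denied = n_denied + 1 "
                       "WHERE subject_id = ?", (subject_id,))
            return None
        values = list(row[1:])
        if needs_accounting:  # P6: bump the per-record count, write the DA record
            col = COUNTERS[kind]
            db.execute(f"UPDATE main_file SET {col} = {col} + 1 WHERE subject_id = ?",
                       (subject_id,))
            db.execute(
                "INSERT INTO da_file (subject_id, disclosed_on, purpose, elements, "
                "data_values, recipient_name, recipient_address) VALUES (?,?,?,?,?,?,?)",
                (subject_id, on_date, purpose, json.dumps(list(elements)),
                 json.dumps(values), recipient, address))
        return dict(zip(elements, values))


def amend(db, subject_id, element, new_value):
    """P4. Corrects one field and returns the prior recipients to be notified."""
    if element not in DISCLOSABLE:
        raise ValueError("unknown data element")
    with db:
        cur = db.execute(f"UPDATE main_file SET {element} = ? WHERE subject_id = ?",
                         (new_value, subject_id))
        if cur.rowcount == 0:
            raise KeyError(subject_id)
    return db.execute(
        "SELECT DISTINCT recipient_name, recipient_address FROM da_file "
        "WHERE subject_id = ? ORDER BY recipient_name", (subject_id,)).fetchall()


def demo():
    """Constructed scenario: refusal, consent (I5), disclosure, then amendment."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO main_file (subject_id, name, salary) "
               "VALUES (1, 'Constructed Person', 21000)")
    request = dict(elements=["salary"], kind="third_party", recipient="Agency X",
                   address="1 Constructed St", purpose="benefits check",
                   needs_consent=True, needs_accounting=True)
    refused = disclose(db, 1, on_date="1977-03-01", **request)
    db.execute("UPDATE main_file SET consent = 'YES', consent_date = '1977-03-05', "
               "consent_ref = 'letter-001' WHERE subject_id = 1")
    released = disclose(db, 1, on_date="1977-03-10", **request)
    to_notify = amend(db, 1, "salary", 22000)
    counters = db.execute("SELECT n_third_party, n_denied FROM main_file "
                          "WHERE subject_id = 1").fetchone()
    return refused, released, to_notify, counters


if __name__ == "__main__":
    print(demo())
```

The foreign key `subject_id` in `da_file` plays the role of the report's "indicator leading to an entry in the DA file"; the refused request leaves no DA record but is still counted in the main file.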

3.3 Output

O1 - Publish Annual Notice

Every  year,  before  April  30th,  the  printout  of 
the  Public  Notice  File   (PN)    is  invoked. 

O2 - Publish New Use for Existing System of Records

The  data  element  is  modified  to  reflect  the  new 
use  in  the  Public  Notice  file  (PN) .  The  file  for  the 
Federal  Register  announcement  is  printed  out. 

O3 - Output Disclosure Accounting

Specific  data  subject's  disclosure  accounting 
record  is  printed  upon  request. 

O4 - Output Dispute Accounting

Specific  data  subject's  dispute  accounting  record 
is  printed  upon  request. 

O5 - Statistical output

The Statistical File (STAT) is printed upon request.

3.4     General  Implementation  Comments 

All of the above identified data base functions are
easily implementable on any of today's data base systems in
the marketplace. Certain functions are available as built-in
features of a DBMS. These features can be used as they
exist in the software unless more stringent requirements are
needed. Other privacy requirements are not directly
available in the DBMS and application programs must be
written. The following table summarizes the previously
outlined data base functions and shows which functions can
be implemented by inherent features and which functions
require writing of application programs.




Data Base Function                  | Inherent Feature | Application Program
------------------------------------+------------------+--------------------
INPUT                               |                  |
I1 - Data Collection                |        X         |
I2 - Data Entry                     |        X         |
I3 - Data Validation                |        X         |
I4 - Notification Notice            |      X (column not legible)
I5 - Consent to Disclose            |                  |          X
PROCESSING                          |                  |
P1 - Periodic Validation            |      (no legible mark)
P2 - Authentication                 |        X         |
P3 - Retrieval for disclosure       |      X (column not legible)
P4 - Update due to Amendment        |                  |          X
P5 - Data Purging                   |                  |          X
P6 - Disclosure Accounting          |      X (column not legible)
P7 - Dispute Accounting             |                  |          X
OUTPUT                              |                  |
O1 - Publish Annual Notice          |                  |          X
O2 - Publish New Use                |                  |          X
O3 - Output Disclosure Accounting   |                  |          X
O4 - Output Dispute Accounting      |      X (column not legible)
O5 - Output Statistics              |      X (column not legible)

TABLE - DATA BASE FUNCTIONS


The specification of functions is at a generic level
where the degree to which the suggested action is
implemented is a management decision of the specific agency.
For example, software techniques for data validation, or
authenticating user access, range from very simple to
elaborate but costly algorithms. The amount of validation or
security control needed must be decided by each individual
agency.




4. DBMS FUNCTIONS TO MEET PRIVACY REQUIREMENTS


The compliance data and procedures as identified in
Section 2 can be correlated with the DBMS functions
introduced in Section 3. These DBMS functions are
either implementable via application programs or inherent in
the data base software. Those functions that require the
writing of application programs also depend on the existence
of the data files described in Section 2 of this report.

In  Appendix  II,  five  separate  tables  are  illustrated  to 
cover  the  five  areas  of  the  Privacy  Act  requirements.  These 
requirements  are  translated  into  compliance  procedures.  The 
compliance  procedures  can  be  realized  with  the 
implementation  of   the  DBMS  functions  indicated. 


5.  CONCLUSIONS 


An implementation strategy for complying with the
Privacy Act of 1974 with the use of today's data base
management systems is described. A set of DBMS functions,
either inherent as built-in data base features, or to be
built via application programs, are identified. These
functions can be written in the particular DBMS's user
language or the host application programming language.
These functions, together with the supportive data file
specifications, can implement those privacy compliance
procedures that are suggested to be automated.

The impact of Privacy Act compliance on the use and
design of DBMS is assessed:


5.1  Use  of  DBMS  to  comply 

Does the use of DBMS significantly improve the
capability of meeting Privacy Act requirements? The answer
to that question is that privacy law compliance is not
necessarily a justification for employing a generalized data
base management system. However, it alleviates certain
manual bookkeeping activities and therefore provides more
consistent journalling by the computer without human errors
or omission. Some benefits as well as some negative impacts
of the use of a DBMS to achieve compliance are enumerated:

Benefits:

1. The existence of a DBMS will make the implementation
of Privacy Act requirements more uniform
throughout the data processing user community and
substantially simplify the job of administration.

2. DBMS will be able to respond to changing requirements
more flexibly and easily. Thus, if new requirements
emerge, DBMS will allow certain logical
changes without significantly affecting the existing
applications.

3. With the increased awareness and emphasis on data
base system security procedures and data integrity
mechanisms, the inherent capability of DBMS can be
used advantageously in support of compliance of the
Privacy Act.

4. Usage of application programs written for Privacy
Act compliance can be monitored for auditing the
administration of the Privacy Act.

5. The use of DBMS facilitates the reporting of
statistical and summary data. For example, the
reporting of statistics such as the number of
disclosures per week or the number of disputes being
amended can quickly be accomplished with the use of
DBMS.

Negative  Aspects: 

1.  The  data  base  management  approach  increases  the 
flexibility  for  interrelating  data  and  for  browsing, 
especially  in  an  on-line  access  (local  or  remote) 
environment.  This  may  facilitate  unauthorized  use  of 
data.  Therefore,  adequacy  of  computer  security  must 
be  considered. 

2. A centrally maintained data base increases the
potential consequences of data base destruction, so
backup provisions must be made.

5.2  Levels  of  Automation 


Automation  in  this  context  refers  to  privacy  compliance 
activities  that  are  performed  by  a  computer  with  data  base 
management  software.  Several  possible  alternative  levels 
exist: 

A. All manual system

B.  Data  subject  records  flagged  automatically  but  a 
paper  file  is  retained. 

C.  Data  subject  records  flagged  automatically  with 
separate  automatic  journalling  of  disclosure  and 
dispute  accounting. 

Level A - The all manual status reflects the majority
of agencies' information management practices today. This is
partly  because  the  Privacy  Act  has  only  been  in  effect  since 
September  1974  and  the  agencies  are  just  beginning  to 
develop  and  design  compliance  procedures.  Also  some  agencies 
have  not  fully  converted  from  second  generation  data 
processing  techniques  to  the  use  of  a  DBMS,  and  no  software 
has  been  implemented. 

Level  B  -  This  level  requires  a  minimal  amount  of 
software  effort  if  the  data  subject  records  are  already 
automated  with  the  use  of  a  DBMS.  Some  agencies  require  the 
manual  paper  file  to  be  kept  as  evidence  of  actual  written 
letters  for  requesting  access  or  disclosure.  This  is  used 
as proof of authenticity. Therefore, developing software to
provide for disclosure accounting and dispute accounting
will be an additional effort.

Level  C  -  This  is  the  level  where  most  of  the  compliance 
procedures  are  automated  with  the  exception  of  issuing 
letters  for  acknowledgement  purposes.  There  is  no  reason 
why  the  letters  could  not  also  be  generated  by  computer. 
The functions specified in the report, if properly
incorporated in a DBMS, could achieve a high degree of
automation.  The  functions  listed  also  reflect  a  reasonable 
level  of  compliance. 


5.3  Problem  Areas 

The  issue  of  level  of  compliance  is  left  to  the 
agency's  decision.  In  the  areas  where  the  Privacy  Act 
requires  a  logging  activity  or  issuance  of  an  announcement, 
compliance  is  straightforward.  However,  in  the  areas  of 
security  control  and  data  integrity,  just  how  much  is  enough 
is  not  quantifiable. 

A  precise  definition  of  minimum  level  of  privacy 
compliance  does  not  exist.  There  are  also  some  areas  where 
the  law  is  open  to  interpretation.     For  example: 

Keeping  track  of  disclosures  to  secondary  and 
tertiary  users. 

Safeguarding against inferences being made on the
data. 

Keeping  track  of  a  data  subject's  consent  for  a  new 
routine  use  on  an  existing  system  of  records. 

Such  compliance  procedures  may  prove  to  be  prohibitively 
costly  to  implement  and  could  unnecessarily  over-burden  a 
data  base  system. 

5.4  Summary 


The  approach  of  using  DBMS  to  comply  with  the  Privacy 
Act  represents  an  ad  hoc  solution  using  today's  systems 
rather than complete redesign of systems. Privacy Act
compliance is not necessarily a justification for employing
a DBMS; however, if an agency is using or is contemplating
the use of a DBMS, it appears that privacy compliance
procedures can be easily incorporated with the data base
functions described.

The  degree  to  which  the  suggested  actions  are 
implemented  is  a  management  decision  of  the  specific  agency. 
However,  the  suggested  functions  reflect  an  achievable 
level  of  compliance. 

The administration of compliance can be made easily
accountable. In particular, this means the operating cost
of Privacy compliance will be easily identifiable via
software logging. This factor alone is a benefit of using
DBMS for Privacy compliance.

The use of DBMS means a more stringent administrative
control over the operating environment. The complexity of
the DBMS environment requires knowledgeable system personnel
and data base administrators to control data accesses and
systematic logging and reporting. Physical security needs
to be tighter to alleviate the fear of potential
destruction. Hardware and software need to be "certified"
for reliability and quality assurance.

The use of DBMS imposes a more sophisticated requirement
for  access  control  and  data  integrity  checks  in  the  data 
base  system.  Today's  DBMS  supplied  by  the  vendors  have 
inadequate  protection  mechanisms  for  providing  controlled 
accesses.  More  research  in  security  and  integrity 
techniques  is  needed  in  future  DBMS  to  achieve  adequate 
security  measures. 




REFERENCES 


[1]     Privacy  Act  -  Public  Law  93-579,   Dec  31,  1974 

The  Privacy  Act  of  1974. 

[2] OMB Circular No. A-108, and accompanying "Privacy Act
Guidelines," Federal Register Vol. 40, No. 132, July 9,
1975.

This  circular  defines  responsibilities  for 
implementing  the  Privacy  Act  of  1974. 

[3] National Bureau of Standards, "Index of Automated
System Design Requirements as Derived from the OMB
Privacy Act Implementation Guidelines," NBSIR 75-909,
Oct. 1975. (Available as PB 246-863 from the National
Technical Information Services, Springfield, Va.
22161.)

This index is a list of certain requirements which
must be considered by Federal personnel in order to
comply with the Privacy Act. Each requirement listed
contains a reference to an applicable part of the
Privacy Act and to a page and column number of the OMB
guidelines as they appear in the Federal Register.

[4] Federal Information Processing Standards Publication,
FIPS  PUB  41,  "Computer  Security  Guidelines  for 
Implementing  the  Privacy  Act  of  1974,"  May  30,  1975. 
Available  From:  U.S.  Government  Printing  Office, 
Washington,   D.C.    20402,   SD  Catalog  C  13.52:41. 

This  document  describes  technical  and  procedural 
means  for  safeguarding  personal  data  in  automated 
information  systems. 

[5] Bushkin, Arthur A. & Samuel I. Schaen, "The Privacy
Act of 1974: A Reference Manual for Compliance," System
Development Corp., 7929 Westpark Dr., McLean, Va. 22101,
May 3, 1976.

This  document  is  primarily  intended  to  be  a 
comprehensive  reference  manual  for  those  people  who,  in 
the  course  of  their  jobs,  must  work  with  information 
systems  subject  to  the  Privacy  Act  of  1974. 


[6] Berg, John (Editor), "Data Base Directions - The Next
Steps," National Bureau of Standards, Special
Publication 451, Sept. 1976.

This  report  is  the  proceedings  of  a  workshop  held 
in  Fort  Lauderdale,  Florida  on  October  29,  30  and  31, 
1975.  Among  the  five  subject  areas  discussed,  the 
chapter  on  "Impact  of  Government  Regulation"  is 
particularly  relevant  for  this  report.  This  chapter 
identifies twenty areas of regulations. The impact of
these regulations on a selected set of data base system
factors is assessed.

[7] Goldstein, Robert C., Henry H. Seward and Richard L.
Nolan, "A Methodology for Evaluating Alternative
Technical and Information Management Approaches to
Privacy Requirements," National Bureau of Standards
Technical Note 906, June 1976. Available from: U.S.
Government Printing Office, Washington, D.C. 20402, SD
Catalog C13.46:906.

This  document  presents  a  logical,  structured 
method  for  evaluating  alternative  technical  and 
information  management  approaches  for  compliance  with 
the  Privacy  Act.  The  Privacy  Act  law  is  grouped  into  4 
general  requirements.  These  requirements  are 
translated into compliance steps. Each step contains
one or more actions to be taken by the system. If
these actions can be accomplished via computer
software, then the algorithm and cost of developing
this action are defined. The cost is expressed as
parameters to a cost model.

[8] Goldstein, Robert C. and Henry H. Seward, "A Computer
Model to Determine Low Cost Techniques to Comply with
the Privacy Act of 1974," National Bureau of Standards
Interagency Report NBSIR 76-985, Feb. 1976. (Available
as PB 250-754 from the National Technical Information
Services, Springfield, Va. 22161.)

This  document  contains  a  complete  description  of 
the  steps  necessary  to  run  the  DPM  Cost  of  Privacy 
Model  along  with  a  description  of  the  computer  program. 

[9]  HEW,  "Records,  Computers,  and  the  Rights  of  Citizens," 
Report  of  the  Secretary's  Advisory  Committee  on 
Automated  Personal  Data  Systems,  DHEW  Publication  No. 
(OS)83-97,  U.S.  Department  of  Health,  Education,  and 
Welfare,  July  1973. 

This  document  discusses  in  detail  the  rights  of 
citizens  as  permitted  by  legislation  and  recommends 
actions  and  responsibilities  for   the  Secretary  of  HEW. 

[10] Office of the Federal Register, National Archives and
Records Service, General Services Administration,
"Protecting Your Right to Privacy --" No Date.


This  document  contains  a  digest  of  system  records 
of  each  of  the  Federal  Agencies,  Agency  Rules  of  each 
Agency  and  research  aids. 

[11] Moore, G. B. et al., "Accessing Individual Records From
Personal Data Files Using Non-Unique Identifiers,"
National Bureau of Standards Special Publication 500-2,
Feb. 1977.

This report describes methodologies for retrieving
an individual's record without the use of a universal
identifier.

APPENDIX I - PRIVACY ACT REQUIREMENTS


There are a number of ways one can classify the
Privacy Act for analysis; the Act itself specifically
mentions the "collection, maintenance, use, and
dissemination" of personal information, but follows a
somewhat different breakdown in the body of the legislation.
This breakdown is chosen so that it accords more or less
with the flow of information to, from, and within an
organization, as such a breakdown appears most useful to the
information specialists for whom this report is written.
Specifically, the Act will be considered from five
viewpoints:

. collection of information,
. maintenance and use of information
  (by the maintaining agency),
. data subject access to and amendment of information,
. non-routine-use disclosures of information, and
. public notice requirements.

This section is a brief summary of the requirements of
the Act, and should not be used as guidance for general
compliance with the Act's provisions. For official guidance,
the reader is referred to [2,4]; other guidance may be found
in [3,5,7,8]. It is assumed that the reader is reasonably
familiar with terms specific to the Privacy Act, such as
"system of records," "disclosure," etc. These terms are
defined in the Act.

Collection 

Clearly, the Act intends that agencies only collect
information that is "both relevant and necessary for an
agency purpose authorized by statute or executive order" [5].
Furthermore, information collection on the exercise of First
Amendment rights is -- with minor exceptions -- specifically
prohibited. If information may be subsequently used to make
an adverse determination about an individual, then the
collecting agency must strive to collect that information
directly from the individual himself; if collection from a
third party is necessary, then the agency must attempt to
verify such information with the individual. When
distributing a request for information, the request should be
accompanied by an explanation of what the information will be
used for, and under what authority it is being collected.
All information collected -- regardless of source -- must be
verified by the collecting agency. Reasonable efforts must
be demonstrated by the agency to ensure its accuracy and
relevance. Furthermore, the information should be noted
upon receipt if it is (1) from a third party, and if so,
whether verified with the individual or not; (2) obtained
with an explicit promise of confidentiality; and
(3) sensitive in nature (medical or national security
information, for example).

Maintenance  and  Use 

Agencies must maintain and use their personal information
records in a manner that ensures fairness to the
individuals in question. They must take reasonable
precautions against misuse of information, and against use
of incorrect or out-of-date information. In particular,
they must provide training for employees in the requirements
of the Act if those employees will be handling personal
information. They must at least annually review information
on file to ensure that it is not a record of the exercise of
First Amendment rights, and generally to ensure that all
aspects of the Privacy Act are continuously being adhered to
(this is the "annual review" of the Act). In addition,
agencies must purge records after their useful life has
expired, but must retain the accounting of disclosures of
records (see "Non-routine-use disclosures") for at least
five years after the accounting was made, or for the life of
the record, whichever is longer. Normally, agencies will
only disclose information (1) within the agency, to those
employees who have a need to know the information for the
regular performance of their duties; or (2) outside the
agency, for an established "routine use." Exceptions to
these two conditions are discussed under "Non-routine-use
disclosures," below. A "routine use" is established through
the publication of annual reports and notices: see "Public
notice requirements."

Furthermore, agencies must ensure the confidentiality
and security of personal records by "establishing
appropriate administrative, technical, and physical
safeguards" [1] against any anticipated breach of confidence
or physical integrity. Agencies would also be wise to
consult legal counsel regarding certain issues of records
use, such as whether the copying of all or portions of a
system of records for internal agency disclosure itself
constitutes the creation of a new system of records.

Access, Amendments, and Disputes

The Privacy Act guarantees that an individual be able
to determine the existence of any information about him in
any agency's system of records, and that he be able to see,
have a copy of, and correct such records. Thus agencies are
called upon to establish procedures to provide these four
guarantees. When disclosing information to a requesting
individual, however, the agency can filter the information
to remove: (1) items having possible adverse effects on the
individual (medical information, for example);
(2) confidential sources of information (if an implied
promise of confidentiality was given to the source before
Sept 1974; or an explicit promise after that); (3) CIA or
criminal law enforcement information; (4) classified
national defense information; (5) information about
protection of the President of the U.S.; (6) information
required by statute to be for statistical purposes only;
(7) investigatory material compiled for employment checks;
(8) testing and examination material for employment; and
(9) information regarding future promotions (in the
military).

Each access by an individual to his own records is to
be considered a disclosure by the maintaining agency, and as
such, must be logged in the agency's accounting of
disclosures (see "Non-routine-use disclosures"). In
addition, if the individual so requests, the agency must
provide access to that accounting of disclosures, so that an
individual may determine what information about him is being
disseminated, to whom, and for what purpose. The agency may
not require that the requesting individual know particular
identifying codes or numbers unique to the system of records
in question in order to facilitate the agency's finding
relevant information; it must be sufficient that he know
such common particulars as name, age, place of birth,
residence, etc. The information so disclosed must be in a
form comprehensible to the requesting individual, and the
individual may, if he wishes, be accompanied by a person of
his own choosing.

Of pivotal importance to the letter and spirit of the
Act is the requirement that an individual be allowed to
correct erroneous information about himself. Thus agencies
must establish procedures to permit individuals to submit
corrections to their records. If the agency acknowledges an
individual's correction, it must make the correction and
inform all previous recipients of the erroneous information
of its corrected content. Should the agency determine,
however, that a correction is unwarranted, it must permit
the individual to file a statement of dispute. A notation of
that statement must be made integral to the record in
question, and the dispute statement itself must be included
with subsequent disseminations of the record. The agency may
also file its own reasons for denying the correction, and
disseminate those reasons along with the record and
associated dispute statement.
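
An added example, not part of the original report: a sketch of the disclosure accounting, amendment, and dispute procedures summarized above, together with the five-year retention rule from "Maintenance and Use," using Python's sqlite3 in place of a DBMS of the period. Table, column, and function names are assumptions made for the illustration, and the sample data is constructed.

```python
import sqlite3
from datetime import date

# Hypothetical schema for this example; table and column names are assumptions.
SCHEMA = """
CREATE TABLE record     (id INTEGER PRIMARY KEY, subject TEXT, content TEXT);
CREATE TABLE disclosure (id INTEGER PRIMARY KEY, record_id INTEGER,
                         recipient TEXT, purpose TEXT, made_on TEXT);
CREATE TABLE dispute    (id INTEGER PRIMARY KEY, record_id INTEGER,
                         statement TEXT, agency_reason TEXT);
CREATE TABLE notice     (id INTEGER PRIMARY KEY, record_id INTEGER,
                         recipient TEXT, body TEXT);
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def disclose(db, record_id, recipient, purpose, made_on):
    """Release a record and log the release in the accounting of disclosures.

    The data subject's own access goes through here too, so it is logged
    like any other disclosure. Dispute statements, with any agency reasons
    for denial, travel with every release made after they are filed.
    """
    row = db.execute("SELECT content FROM record WHERE id = ?",
                     (record_id,)).fetchone()
    if row is None:
        raise KeyError(record_id)
    disputes = db.execute(
        "SELECT statement, agency_reason FROM dispute "
        "WHERE record_id = ? ORDER BY id", (record_id,)).fetchall()
    with db:  # commit the accounting entry before handing anything back
        db.execute(
            "INSERT INTO disclosure (record_id, recipient, purpose, made_on) "
            "VALUES (?, ?, ?, ?)",
            (record_id, recipient, purpose, made_on.isoformat()))
    return {"content": row[0], "disputes": disputes}


def accounting(db, record_id):
    """The accounting itself, which the subject may ask to see."""
    return db.execute(
        "SELECT recipient, purpose, made_on FROM disclosure "
        "WHERE record_id = ? ORDER BY id", (record_id,)).fetchall()


def accept_amendment(db, record_id, corrected):
    """Correct the record and queue a notice to each previous recipient."""
    row = db.execute("SELECT subject FROM record WHERE id = ?",
                     (record_id,)).fetchone()
    if row is None:
        raise KeyError(record_id)
    with db:
        db.execute("UPDATE record SET content = ? WHERE id = ?",
                   (corrected, record_id))
        # Previous recipients come from the accounting. The subject is
        # advised of the acceptance by a separate letter, so is skipped here.
        prior = [r for (r,) in db.execute(
            "SELECT DISTINCT recipient FROM disclosure "
            "WHERE record_id = ? AND recipient <> ? ORDER BY recipient",
            (record_id, row[0]))]
        db.executemany(
            "INSERT INTO notice (record_id, recipient, body) VALUES (?, ?, ?)",
            [(record_id, r, "Corrected content: " + corrected) for r in prior])
    return prior


def file_dispute(db, record_id, statement, agency_reason=None):
    """Amendment refused: attach the subject's statement of dispute."""
    with db:
        db.execute(
            "INSERT INTO dispute (record_id, statement, agency_reason) "
            "VALUES (?, ?, ?)", (record_id, statement, agency_reason))


def accounting_purgeable(made_on, record_purged_on, today):
    """Keep an entry five years or the life of the record, whichever is longer."""
    if record_purged_on is None:      # record still on file
        return False
    try:
        five_years = made_on.replace(year=made_on.year + 5)
    except ValueError:                # 29 February has no match five years on
        five_years = date(made_on.year + 5, 3, 1)
    return today >= max(five_years, record_purged_on)


if __name__ == "__main__":
    db = open_db()  # constructed sample data, not taken from the report
    with db:
        db.execute("INSERT INTO record VALUES (1, 'J. Doe', 'grade GS-7')")
    disclose(db, 1, "J. Doe", "subject access", date(1977, 1, 10))
    disclose(db, 1, "Agency B", "routine use", date(1977, 2, 1))
    print(accept_amendment(db, 1, "grade GS-9"))
    file_dispute(db, 1, "Hire date is wrong", "Payroll file confirms the date")
    print(disclose(db, 1, "Agency C", "routine use", date(1977, 4, 1)))
    print(accounting(db, 1))
```

Because every release passes through one routine, the list of previous recipients needed for a correction is a query over the accounting rather than a search of paper files.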

Non-Routine-Use Disclosures

If disclosure of information is not within the agency,
not for a published routine use, and not to the individual
subject of the records, then in general the agency must
obtain permission from the subject to make the disclosure.
Even with that permission, however, disclosure is at the
agency's discretion. Exceptions to this requirement for
permission occur in cases of disclosure to the following
(parentheses indicate whether disclosure is at the agency's
discretion):

. to Congress (discretionary)
. for law enforcement (discretionary,
  unless overridden by statute)
. under compulsory legal process (not discretionary)
. in an emergency (discretionary)
. for statistical purposes (discretionary)
. to the Census, GAO, or National Archives
  (discretionary, treated essentially the same
  as a routine use disclosure)

If disclosed to other than another government agency,
information must be verified for accuracy, relevance,
timeliness, and completeness and filtered to remove
information not relevant to the request. If a statement of
dispute is relevant to the disclosure, that statement must of
course be included. An accounting of the disclosure must be
made. Information disclosure may be requested under the
Freedom of Information Act, and if that Act is relevant,
disclosure may not be denied, nor need an accounting be kept.

Public  Notice  Requirements 

A fundamental provision of the Privacy Act that echoes
the HEW Report [9] is that no system of records can be
secret in its very existence. To this end, the Act requires
extensive public announcements concerning each agency's
system of records, and certain announcements to the Congress.

Public notice must be given (in the Federal Register)
(1) of any new system of records; (2) of any new routine
uses for existing systems of records; and (3) annually for
all systems of records. A significant change, say in the
number, type or categories of individuals in the system, or
the potential for access to existing records, can trigger
the requirement for a new system of records notice.
Furthermore, agencies must report to Congress on their
activities under the Privacy Act. Specifically, they must
provide a report (1) on any proposed new system of records,
and (2) annually on all systems of records and on a number
of facets of compliance with the Act, e.g., information
system plans, improvements in records management policies
and procedures, problems with compliance, statistics on the
number of inquiries, amendment requests, denials of
requests, and so on.

TABLE 3 - ACCESS, AMEND, AND DISPUTE REQUIREMENTS

REQUIREMENTS                            | COMPLIANCE PROCEDURES                | DBMS FUNCTIONS
----------------------------------------+--------------------------------------+---------------
ACCESS                                  |                                      |
1. Inform individual whether a system   | . Notification to subject            | 14
   of records contains a record         |                                      |
   pertaining to him upon request       |                                      |
2. Permit individual to review          | . Verify identification of ind.      | P2
   records pertaining to him            | . Retrieve the record via software   | P3
3. Permit individual to be              |                                      |
   accompanied                          |                                      |
4. Permit the individual to             | . Print out specified contents of    | P3
   obtain a copy of such                |   data elements                      |
   record                               |                                      |
AMENDMENT                               |                                      |
1. Amendment request originates from    |                                      |
   individual                           |                                      |
2. Agency sends written acknowledgement | . Issue form letter acknowledging    |
   of the receipt of the amendment      |   receipt of amendment request       |
   request within 10 days               |                                      |
3. Agency agrees to amend               |                                      |
   3a. Advise individual                | . Issue form letter informing of the |
                                        |   acceptance                         |
   3b. Correct the record               | . Modify the record via software     | P4
   3c. Advise all previous              | . Retrieve disclosure accounting for | 03
       recipients of the correction     |   that record                        |
                                        | . Issue letter informing of the      |
                                        |   correction and substance of        |
                                        |   the correction                     |